How Congress can make cyber reforms real

By Dave McClure

Feb 10, 2015

In 2014, industry and government were rocked by major cyber breaches and attacks that highlighted continued vulnerabilities in security management. As a result, corporate and agency executives are beginning to pay attention to the business and customer impact rather than assuming security is the narrow and exclusive technical domain of chief information security officers and CIOs.

That change in attitude comes as IT is growing ever more pervasive via the interconnected systems, devices, monitors and sensors that make up the Internet of Things. New business solutions, emerging interactive technologies, innovative data aggregation and delivery options, and hyperscale infrastructure technology all require robust information assurance and privacy protections.

Congress, meanwhile, has passed several reform bills that are moving federal cybersecurity in a similar direction, and no less than eight committees and subcommittees in the House and Senate have announced intentions to hold cybersecurity-related oversight hearings this year.

Congressional oversight is critical to ensuring transparency and accountability for compliance with new legislation. So what can Congress do to more effectively oversee implementation of major cybersecurity reforms? Let me offer three suggestions based on my experience working for and reporting to congressional oversight committees:

1. Focus on fact-based discussions. Oversight is most effective when committees ask agencies for facts that demonstrate how cybersecurity dollars are producing tangible improvements. How have legal, regulatory, economic or mission impact risks been mitigated? Can the agency demonstrate that it is implementing security programs in a cost-effective manner? What is being done to simplify security insights to increase responsiveness and resiliency to changing threats? Is there a baseline against which progress in security capabilities can be objectively assessed?

Those questions demand attention and responses from agency leaders, not simply CISOs or CIOs.

2. Learn from leading best practices and avoid past mistakes. Security is not a one-size-fits-all affair. We must protect data at rest, in use and in transit rather than just protecting the system environments in which it resides. There are operational, technical and managerial controls that apply to any effective security management program, but risk management frameworks should result in risk profiles that vary across different agency missions.

Furthermore, with so much security now outsourced as managed services, clear contractor accountability for performance is essential. Congress should demand this focus from audit groups and the reports they issue to oversight committees. With governmentwide buy-in from the executive and legislative branches on a baseline set of controls (like the FedRAMP controls for cloud solutions), audits can become less of a guessing game.

3. Seek consensus on how to prioritize corrective security actions. At the Department of Veterans Affairs, the inspector general reported some 6,000 security risk findings and made 35 recommendations to the VA secretary as part of the agency's required reporting under the Federal Information Security Management Act.

But how can VA or any agency possibly address the thousands of findings and related recommendations? What is attributable to lack of management support and execution versus inadequate budget resources or poor budgeting practices? Are resources within existing budgets available to shore up weaknesses, and if so, how can they be prioritized? To my knowledge, neither the auditors nor the VA produced a cost estimate for full compliance with audit recommendations.

Given the vast array of policy, process, managerial, technical and operational demands that are in play, at least some degree of consensus on risk-based priorities is paramount. Agency leaders, inspectors general and the Office of Management and Budget all have important parts to play, but Congress can have a special role in ensuring that viable security solutions are put in place.